I. About this Supplemental Notice
In order to offer domain name registration services (the “Services”), several Alibaba entities are required to collect, store and share (i.e. “Process”) data about the domain name holders (this data is called “Registrant Data”).
This Processing is in particular required by Alibaba’s contracts with domain name registry operators (entities responsible for providing registry services such as customer database administration, zone file publication, DNS and DNSSEC operation and policy determination), and the Internet Corporation for Assigned Names and Numbers (ICANN), which in turn enable Alibaba to provide the Services.
The Alibaba entities in question are the Alibaba Cloud entity you contract with for the Services, and Alibaba.com Singapore E-Commerce Private Limited (the “Registrar”).
II. What is Registrant Data?
Registrant Data is information about individuals and/or their organization that is Processed by Alibaba in connection with the Services. The following Registrant Data are obligatory: (i) the registration data that Alibaba collects for registration of domain names (e.g. names, postal addresses, e-mail addresses, telephone numbers, fax numbers, for the various registrant, administrative, technical and billing contacts that are provided), (ii) IP addresses and names of the primary nameserver and secondary nameserver(s) for the registered domain name; (iii) data in and about communications relating to registration applications, confirmations, modifications, terminations, or any other correspondence with you (as Registrant), or with another party, relating to use of the Services (e.g., when investigating complaints), and (iv) our records indicating your acceptance of the Service Agreement.
III. Why is Registrant Data Processed, and who is it shared with?
Registrant Data is Processed for the following purposes, as set out in Section 4.4 of ICANN’s May 2018 Temporary Specification (terms used here have the same meaning as in that Temporary Specification):
• Reflecting a domain name holder’s rights to a registered domain name, and ensuring that the domain name holder (such as yourself) may exercise those rights;
• Providing access to accurate, reliable, and uniform Registrant Data based on legitimate interests not outweighed by the fundamental right of relevant data subjects, consistent with the European Union General Data Protection Regulation (EU) 2016/679 (the “GDPR”);
• Enabling a reliable mechanism for identifying and contacting domain name holders for a variety of legitimate purposes more fully set out below;
• Enabling a mechanism for the communication or notification of payment and invoicing information and reminders to domain name holders;
• Enabling a mechanism for the communication or notification to the domain name holder of technical issues and/or errors with a registered domain name or any content or resources associated with a registered domain name;
• Enabling a mechanism for the Registry Operator, Alibaba to communicate with or notify the domain name holder of commercial or technical changes in the domain in which the registered domain name has been registered;
• Enabling the publication of technical and administrative points of contact administering the domain names at the request of the domain name holder;
• Supporting a framework to address issues involving domain name registrations, including but not limited to consumer protection, investigation of cybercrime, DNS abuse, and intellectual property protection;
• Providing a framework to address appropriate law enforcement needs;
• Facilitating the provision of zone files of gTLDs to Internet users;
• Providing mechanisms for safeguarding domain name holders’ Registrant Data in the event of a business or technical failure, or other unavailability of Alibaba or a Registry Operator;
• Coordinating dispute resolution services for certain disputes concerning domain names; and
• Handling contractual compliance monitoring requests, audits, and complaints submitted by Registry Operators, Alibaba, domain name holders, and other Internet users.
Examples of the Processing of Registrant Data for the purposes stated above include:
• Inclusion in publicly-searchable Registration Data Directory Services (e.g. WHOIS directories, and their successors based on the Registration Data Access Protocol (RDAP)), which provide query-based access (although please note — per the Temporary Specification, the inclusion of most Registrant Data in free public search results via these services may for the time being be subject to individuals’ prior consent, apart from organization name, state/province, and country. Access to the full (non-public) data will be granted on a more case-by-case basis, based on the legitimacy of the access. This policy, determined by ICANN, is subject to change in future; for more details, please see the Temporary Specification, in particular its Appendix A);
• Research on an aggregated statistical basis;
• Day to day operations of Alibaba or a Registry Operator, including sharing Registrant Data with Alibaba Cloud, the Registrar or the Registry Operator that provide legal, accounting, delivery, installation, system support, escrow, marketing, and other Registry services on their behalf;
• Email contact (by Alibaba Cloud, the Registrar or the Registry Operator) with the domain name holder, as required by any acceptable use policy;
• Transfer and further processing of Registrant Data to/by the Escrow, UDRP, URS, Trademark Clearinghouse and emergency back-end registry operator (“EBERO”) services.
• Processing that Alibaba, ICANN or a Registry Operator has a good faith belief is required by the law enforcement agencies, or a court order or other compulsory legal process applicable to Alibaba, ICANN, the Registrant or the Registry Operator; and
• As may be required by ICANN in accordance with a “zone file” access request .
In connection with the above,
• The Registrar is required to make certain Registrant Data available to ICANN for inspection by ICANN. Registrar will share certain Registrant Data with ICANN to resolve compliance-related inquiries and respond to ICANN audits;
• The Registrar and Registry Operator must regularly submit an electronic copy of certain Registrant Data to an escrow agent mutually approved by the Registrar, the Registry Operator, and ICANN, where it will be held in escrow in order to keep the domain name operating in the event we leave the domain-name registration business.
IV. If the Registrant Data is Personal Data protected by the EU GDPR, what is the legal basis for that Processing?
In relation with the GDPR, unless the legal basis for the Processing of Registrant Data is–
i. necessity to enter into or perform a contract with you (in particular, the contract for the Services),ii. compliance with obligations laid down in EU or EU Member State law (for instance, where we are legally obligated to obtain, retain, search and/or disclose Registrant Data at the request of a court or investigating authority),
iii. necessity to perform a task in the public interest, where EU or EU Member State law requires or permits the Processing of Registrant Data to fulfil that task, or
iv. you have been asked to give, and have freely given, consent to such Processing (in which case you can non-retroactively revoke such consent at any time),
V. How long does Alibaba retain Registrant Data?
By default, and subject to applicable law, we retain Registrant Data that is Personal Data for the duration of your use of the Services and approximately two years thereafter, to ensure its continued availability for the purposes specified above.